Bug #2492

openssl beast workaround disabled in 1.4.32

Added by betelgeuse over 3 years ago. Updated over 3 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 2013-07-11
Due date:
% Done: 100%
Missing in 1.5.x: No

Description

https://issues.apache.org/bugzilla/show_bug.cgi?id=53899

lighttpd is setting the same SSL_OP_ALL so beast mitigation is not on.

long ssloptions =
SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;

I checked trunk and there the option is not set on so hopefully just a matter of backporting.

Associated revisions

Revision 93fd9ea7 (diff)
Added by stbuehler over 3 years ago

[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)

if ssl.empty-fragments is set to enabled, but the openssl version used
to compile lighttpd doesn't support empty fragments, a warning is
displayed (it might still work).

From: Stefan Bühler <>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2891 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 2891 (diff)
Added by stbuehler over 3 years ago

History

#1 Updated by stbuehler over 3 years ago

  • Priority changed from Urgent to Normal
  • Target version set to 1.4.33

svn trunk is "dead". For beast mitigation we recommend using TLS1.1+ or preferring RC4 (after TLS1.1+ ciphers) as cipher, see the 1.4.30 release announcement.

As some implementations can't handle the empty fragment workaround I'm not sure I even want to change that. Afaics apache only added an option to reenable the workaround, not making it the default.

Perhaps we'll add an option too, but right now I don't think it will be active by default.

#2 Updated by stbuehler over 3 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2891.
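The option logic discussed in this ticket, as an added sketch that is not lighttpd's code: SSL_OP_ALL carries SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, so the empty-fragment workaround stays off unless that bit is cleared. The EX_* constants, function names and the have_flag parameter (standing in for an #ifdef on the OpenSSL macro) are assumptions made so the example builds without OpenSSL headers.

```c
#include <stdio.h>

/* Stand-in constants (assumption: values as in OpenSSL 1.0.1's ssl.h).
 * Real code includes <openssl/ssl.h> and uses the SSL_OP_* macros. */
#define EX_OP_ALL                            0x80000BFFUL
#define EX_OP_DONT_INSERT_EMPTY_FRAGMENTS    0x00000800UL
#define EX_OP_NO_SESSION_RESUMPTION_ON_RENEG 0x00010000UL
#define EX_OP_NO_COMPRESSION                 0x00020000UL

/* Hypothetical helper: build the option mask for an ssl.empty-fragments
 * setting. have_flag models whether the headers define the flag at build
 * time; *warn is set when the setting cannot be honoured. */
unsigned long ex_ssl_options(int empty_fragments, int have_flag, int *warn)
{
    /* The mask quoted in the report: OP_ALL disables empty fragments. */
    unsigned long opts = EX_OP_ALL | EX_OP_NO_SESSION_RESUMPTION_ON_RENEG
                       | EX_OP_NO_COMPRESSION;
    *warn = 0;
    if (empty_fragments) {
        if (have_flag)
            opts &= ~EX_OP_DONT_INSERT_EMPTY_FRAGMENTS; /* workaround on */
        else
            *warn = 1; /* no flag to clear: only a warning is possible */
    }
    return opts;
}

/* The CBC empty-fragment countermeasure is active only if the bit is clear. */
int ex_beast_workaround_active(unsigned long opts)
{
    return (opts & EX_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

int main(void)
{
    int warn;
    for (int enabled = 0; enabled <= 1; enabled++) {
        unsigned long o = ex_ssl_options(enabled, 1, &warn);
        printf("ssl.empty-fragments=%d mask=0x%lx workaround=%s\n", enabled, o,
               ex_beast_workaround_active(o) ? "on" : "off");
    }
    ex_ssl_options(1, 0, &warn);
    printf("enabled without build-time flag: warn=%d\n", warn);
    return 0;
}
```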